Chapter 21 Rules; Rules Overview - Cisco CS-MARS-20-K9 - Security MARS 20 User Manual

Chapter 21
Rules

This chapter discusses MARS Inspection and Drop rules in the following sections:

Rules Overview, page 21-1
Constructing a Rule, page 21-5
Working with System and User Inspection Rules, page 21-17
Working with Drop Rules, page 21-21
Setting Alerts, page 21-23
Rule and Report Groups, page 21-24

Rules Overview

An inspection rule is a real-time filter that detects interesting patterns of network activity. These patterns can signify attacks or false positives, and they can also reveal network configuration errors and other anomalous network behavior. An attack might be straightforward, or it could be a probe, an attack, and then a follow-up to the attack. Whatever the method, attacks share common traits, and you use rules to define these traits so that attacks can be identified and mitigated.

Rules create incidents. A rule connects the information you receive from your network's reporting devices, linking related events together to form a chain of events that describes an unfolding intrusion. Rules classify incoming events as firing events by matching them against the rule criteria. Rules also determine whether an event judged to be a false positive is dropped completely or kept in the database as information only.

A rule is either active or inactive. Active means the rule is operating and is being applied to incoming events. Inactive means the rule is inoperative and does not consume CS-MARS resources. To view a list of all System Inspection rules, see Appendix D, "System Rules and Reports."

Note    A rule cannot be deleted; it can only be made active or inactive.

Figure 21-1 shows a portion of the Inspection Rules page of the Rules tab.

User Guide for Cisco Security MARS Local Controller
78-17020-01    21-1
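The rule model described in this overview, as an added example in Python that is not Cisco's code and not the MARS rule schema: a toy correlator first applies drop rules (a matching event is either discarded outright or kept in the database as information only, and never fires), then evaluates the active inspection rules, each of which is an ordered chain of offsets (probe, attack, follow-up) that must all match events from the same source within a time window before an incident is created. Inactive rules are skipped entirely. The event field names, rule names, per-source chaining and the sample events are constructed assumptions for illustration only.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# A reporting-device event reduced to the fields the toy rules inspect (assumed schema).
Event = Dict[str, object]


@dataclass
class Offset:
    """One step in a rule chain: a predicate over a single event."""
    name: str
    match: Callable[[Event], bool]


@dataclass
class InspectionRule:
    name: str
    offsets: List[Offset]   # ordered chain, e.g. probe -> attack -> follow-up
    window: int             # seconds within which the whole chain must complete
    active: bool = True


@dataclass
class DropRule:
    name: str
    match: Callable[[Event], bool]
    log_only: bool          # True: keep in the DB as information; False: discard outright
    active: bool = True


@dataclass
class Incident:
    rule: str
    src: str
    events: List[Event]     # the firing events, in the order the chain matched them


class Correlator:
    """Applies active drop rules, then active inspection rules, to each incoming event."""

    def __init__(self, inspection: List[InspectionRule], drop: List[DropRule]) -> None:
        self.inspection = inspection
        self.drop = drop
        self.db: List[Event] = []          # events retained in the database
        self.discarded: List[Event] = []   # events a drop rule removed completely
        self.incidents: List[Incident] = []
        # partial chains keyed by (rule name, source address)
        self._partial: Dict[Tuple[str, str], List[Event]] = {}

    def ingest(self, ev: Event) -> None:
        for d in self.drop:
            if d.active and d.match(ev):
                (self.db if d.log_only else self.discarded).append(ev)
                return  # a dropped event is never a firing event
        self.db.append(ev)
        for rule in self.inspection:
            if not rule.active:
                continue  # inactive rules consume nothing
            key = (rule.name, str(ev["src"]))
            chain = self._partial.get(key, [])
            if chain and int(ev["ts"]) - int(chain[0]["ts"]) > rule.window:
                chain = []  # chain went stale: start again from the first offset
            if rule.offsets[len(chain)].match(ev):
                chain = chain + [ev]
                if len(chain) == len(rule.offsets):
                    self.incidents.append(Incident(rule.name, str(ev["src"]), chain))
                    chain = []
            self._partial[key] = chain


def build_rules(probe_rule_active: bool = False) -> Tuple[List[InspectionRule], List[DropRule]]:
    attack_chain = InspectionRule(
        name="Probe, Attack, Follow-up",
        offsets=[
            Offset("probe", lambda e: e["type"] == "portscan"),
            Offset("attack", lambda e: e["type"] == "exploit"),
            Offset("follow-up", lambda e: e["type"] == "permit" and e.get("dport") == 22),
        ],
        window=300,
    )
    probe_only = InspectionRule(  # a single-offset rule, inactive unless asked for
        name="Any port scan",
        offsets=[Offset("probe", lambda e: e["type"] == "portscan")],
        window=1,
        active=probe_rule_active,
    )
    drops = [
        # an authorised vulnerability scanner: keep its events for the record, never fire
        DropRule("authorised scanner", lambda e: e["src"] == "10.9.9.9", log_only=True),
        # device heartbeats carry no security information: discard them
        DropRule("heartbeat noise", lambda e: e["type"] == "heartbeat", log_only=False),
    ]
    return [attack_chain, probe_only], drops


# Constructed sample events (not real device output), in arrival order.
SAMPLE_EVENTS: List[Event] = [
    {"device": "ids-1", "type": "portscan", "src": "10.1.1.5", "dst": "10.2.2.9", "ts": 0},
    {"device": "fw-1", "type": "deny", "src": "10.1.1.5", "dst": "10.2.2.9", "ts": 5},
    {"device": "ids-1", "type": "exploit", "src": "10.1.1.5", "dst": "10.2.2.9", "ts": 60},
    {"device": "fw-1", "type": "permit", "src": "10.1.1.5", "dst": "10.2.2.9", "dport": 22, "ts": 90},
    {"device": "ids-1", "type": "portscan", "src": "10.9.9.9", "dst": "10.2.2.9", "ts": 100},
    {"device": "fw-1", "type": "heartbeat", "src": "10.2.2.1", "dst": "10.2.2.2", "ts": 120},
    {"device": "ids-1", "type": "portscan", "src": "10.1.1.7", "dst": "10.2.2.9", "ts": 200},
]


def run_demo(probe_rule_active: bool = False) -> Correlator:
    rules, drops = build_rules(probe_rule_active)
    c = Correlator(rules, drops)
    for ev in SAMPLE_EVENTS:
        c.ingest(ev)
    return c


if __name__ == "__main__":
    for inc in run_demo().incidents:
        print(inc.rule, inc.src, [e["type"] for e in inc.events])
```

With the probe-only rule inactive, only the three-step chain from 10.1.1.5 becomes an incident; the lone port scan from 10.1.1.7 and the authorised scanner's events are retained in the database without firing, and the heartbeat is discarded. Activating the single-offset rule turns every retained port scan into its own incident, which is the trade-off the active/inactive switch exists to control.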

This manual also applies to: MARS 20, MARS 50, MARS 100, MARS 200.